The Court of Justice of the European Union has ruled that an entity may be regarded as a controller of personal data if it has instructed an undertaking to develop a computer application, even if it has not carried out personal data processing operations itself.
It has also been established that the use of personal data for the purpose of computer testing of an application constitutes processing, unless the data have been rendered anonymous so that the data subject is no longer identifiable or the data are virtual data.
The entity which has commissioned an undertaking to develop a computer application and which has participated in determining the purposes and means of the data processing carried out by means of the application shall be regarded as the controller of personal data even if it has not carried out personal data processing operations itself.
The entity will not be considered a controller of personal data unless, prior to that application being made available to the public, that entity expressly objected to such making available and to the resulting processing of personal data.
By the same decision, it was established that a controller may not be fined where the processor has processed personal data for its own purposes, in a way incompatible with the framework or arrangements for processing or in such a manner that it cannot reasonably be considered that that controller consented to such processing.